What we did
We used a proven automated tool to scan government owned, internet facing websites (web applications) for vulnerabilities. We reviewed the results from the tool and eliminated as many false positives as possible to provide application owners with valuable results so that they could focus their efforts on correcting vulnerabilities. We reported our findings to application owners, who in some cases had already remediated the vulnerabilities we found. Once the web application owners remediated the vulnerabilities, we rescanned the websites to confirm the vulnerabilities no longer existed.